Created: November 1, 2025 15:48
Grype vulnerability scanner configuration with ignore rules and severity thresholds
```yaml
# Grype Vulnerability Scanner Configuration
# Source: https://williamzujkowski.github.io/posts/2025-10-06-automated-security-scanning-pipeline/
# Purpose: Configure Grype scanner with ignore rules and severity thresholds
# Usage: Save as .grype.yaml in project root

# Exclude false positives. Every rule carries a reason so the suppression can
# be audited later. Check that the Grype version in use actually honours the
# "expiration" key: a key the scanner does not recognise is silently dropped,
# and the rule then never lapses on its own.
ignore:
  - vulnerability: CVE-2023-12345
    reason: "Not applicable - feature not used"
    expiration: 2025-12-31
  - vulnerability: GHSA-xxxx-yyyy-zzzz
    package:
      name: "lodash"
      version: "4.17.20"
    reason: "Testing environment only"

# Configure severity thresholds: exit non-zero when any non-ignored match is
# rated High or Critical
fail-on-severity: high

# Scope what to scan: all-layers inspects every image layer rather than only
# the squashed filesystem, so packages removed or replaced in later layers
# are still reported (more findings, fewer blind spots)
scope: all-layers

# Output formatting
output: json
```
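A configuration like the one above only earns its keep if the pipeline checks two things the scanner itself does not: that a suppression with an expiration date is retired once the date passes, and that every ignore rule is still suppressing something (a rule that matches nothing is stale and should be deleted). The script below is an added example, not code from the gist or from the Grype project. It reads a Grype JSON report and applies the same threshold and ignore list as a second gate in CI. It assumes Grype's JSON output carries top-level `matches` and `ignoredMatches`, each with `vulnerability.id`, `vulnerability.severity` and `artifact.name`, and that ignored entries list the rules that fired under `appliedIgnoreRules`. The report and the rule list embedded here are constructed sample data mirroring the gist's placeholders; the expiration handling is this script's own policy, not a Grype feature.

```python
"""Second-stage gate over a Grype JSON report.

Added example (not from the gist or the Grype project). Assumes the Grype JSON
shape described in the lead-in. Expiration handling is this script's policy.
"""
import json
from datetime import date

# Grype's severity ladder, lowest to highest.
SEVERITY_ORDER = ["Negligible", "Low", "Medium", "High", "Critical"]


def severity_rank(sev):
    """Rank a severity string; anything not on the ladder (e.g. "Unknown")
    ranks above Critical so the gate fails closed rather than open."""
    sev = (sev or "").capitalize()
    if sev in SEVERITY_ORDER:
        return SEVERITY_ORDER.index(sev)
    return len(SEVERITY_ORDER)


def failing_matches(report, fail_on="high"):
    """(vuln id, package, severity) for non-ignored matches at or above fail_on.
    Mirrors fail-on-severity: 'high' means High and Critical both fail."""
    threshold = severity_rank(fail_on)
    out = []
    for m in report.get("matches", []):
        sev = m["vulnerability"].get("severity", "Unknown")
        if severity_rank(sev) >= threshold:
            out.append((m["vulnerability"]["id"], m["artifact"]["name"], sev))
    return out


def expired_rules(rules, today=None):
    """Ignore rules whose 'expiration' (YYYY-MM-DD) is strictly in the past."""
    today = today or date.today()
    return [r for r in rules
            if "expiration" in r
            and date.fromisoformat(str(r["expiration"])) < today]


def unused_rules(rules, report):
    """Ignore rules that suppressed nothing in this report, keyed on the
    vulnerability id recorded in appliedIgnoreRules."""
    applied = set()
    for im in report.get("ignoredMatches", []):
        for rule in im.get("appliedIgnoreRules", []):
            applied.add(rule.get("vulnerability"))
    return [r for r in rules if r.get("vulnerability") not in applied]


# Constructed sample: the gist's placeholder ignore list expressed as dicts.
IGNORE_RULES = [
    {"vulnerability": "CVE-2023-12345",
     "reason": "Not applicable - feature not used",
     "expiration": "2025-12-31"},
    {"vulnerability": "GHSA-xxxx-yyyy-zzzz",
     "package": {"name": "lodash", "version": "4.17.20"},
     "reason": "Testing environment only"},
]

# Constructed sample report: placeholder ids, not real findings.
SAMPLE_REPORT = json.loads("""
{
  "matches": [
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Critical"},
     "artifact": {"name": "examplepkg", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "Medium"},
     "artifact": {"name": "otherpkg", "version": "2.3.4"}}
  ],
  "ignoredMatches": [
    {"vulnerability": {"id": "CVE-2023-12345", "severity": "High"},
     "artifact": {"name": "libfoo", "version": "1.0.0"},
     "appliedIgnoreRules": [{"vulnerability": "CVE-2023-12345",
                             "reason": "Not applicable - feature not used"}]}
  ]
}
""")


def gate(report, rules, fail_on="high", today=None):
    """Return (ok, findings) where ok is False if any blocking match remains
    or any ignore rule has expired; unused rules are reported but non-blocking."""
    findings = {
        "blocking": failing_matches(report, fail_on),
        "expired_rules": expired_rules(rules, today),
        "unused_rules": unused_rules(rules, report),
    }
    ok = not findings["blocking"] and not findings["expired_rules"]
    return ok, findings


if __name__ == "__main__":
    ok, findings = gate(SAMPLE_REPORT, IGNORE_RULES, "high", date(2026, 1, 1))
    print(json.dumps(findings, indent=2))
    raise SystemExit(0 if ok else 1)
```

Feed it a real report with `grype dir:. -o json > report.json` and load that file in place of `SAMPLE_REPORT`; the expired-rule check is what turns the `expiration` field from a comment into an enforced deadline, and the unused-rule list is the prompt to prune suppressions that no longer apply.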